[Asrg] Replay attack

Franck Martin franck at avonsys.com
Tue Jan 13 17:05:35 PST 2009


Hi all, 

I received an error report that an email could not be delivered to abuse at genocide.ru. The email that someone tried to send is below. 

What is interesting is that the email seems genuine enough, with a DKIM and a DomainKey signature. 

1) Does anyone know where on the web I could paste this email and verify the DKIM? A kind of web form. 
2) The Return-Path has been forged, and it seems to me they proceeded this way: generate a legitimate DKIM-signed email on a legitimate MTA, strip a few headers and mass-mail it directly to everyone? RCPT TO does not have to match the To in the header. What gives me a hint is that the Received headers do not follow each other. Any tips or info to prevent such problems? Or would doing only a DKIM verification tell me this message is forged? 

Here are only the headers of the email I received in an NDR. 
------------------------------- 
Return-path: <abuse at genius.com> 
Received: from broadband-77-37-184-167.nationalcablenetworks.ru ([77.37.184.167] helo=list.mediresource.com) 
by direct.va.ru with smtp (Exim 4.53) 
id 1LMsMZ-0003zp-62 
for abuse at genocide.ru; Wed, 14 Jan 2009 02:07:59 +0300 
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws; 
s=v1; d=rodale.delivery.net; 
h=DKIM-Signature:Received:Date:From:Reply-to:To:Message-ID:Subject:Errors-to:MIME-Version:Content-Type:X-eid:X-pid; 
b=KxLNSrM9OzjsF/CMM45qFlc0DKKuizMQ2qWRehZCpFy02QKiFV77rJnRdPOL05om 
cV0wWuLpX1/TssBxGG61McgmU7b5wRtM3XUlZ0ox33uNNiFkl58VgHIIVXNDDwjc 
SltQL4r5m5CFxLxC5ifJyVJYw2s12bMZc62AVktX7V4= 
DKIM-Signature: v=1; a=rsa-sha1; d=rodale.delivery.net; s=v1; c=simple/simple; 
q=dns/txt; i=@rodale.delivery.net; t=1231488648; 
h=From; 
bh=F6VyhuMIBItRiT4Rd3AjarPIreY=; 
b=jU/ncyJ4g53pvr2on0cSjHW0pxtZqApuauJuTV9XlPVJXFY2vvS4zzs5eiJqpZ2i 
j56GjtfxU1pWScXrwstgIwm1vb4SxvpN2qhf4uMxeGpsZM3Z5lD9j9GuEMAUME+R 
oiXm9l4kbSw2zIJ7NP65e9dErI20MZRscu6F6u20dx8=; 
Received: from [192.168.138.141] ([192.168.138.141:53703] helo=fc14a2.dc1.prod) 
by oms2.dc1.prod (envelope-from <MensHealth at rodale.delivery.net>) 
(ecelerity 2.2.2.36 r(26875/27517M)) with ESMTP 
id EF/26-77607-64778138; Wed, 14 Jan 2009 02:05:15 +0300 
From: Men's Health <MensHealth at rodale.delivery.net> 
Reply-to: MensHealth at rodale.delivery.net 
To: abuse at genocide.ru 
Message-ID: <20090114050515.6743.qmail at list.mediresource.com> 
Subject: RE: Bigger snake for few days n few bucks 
Errors-to: MensHealth at rodale.delivery.net 
MIME-Version: 1.0 
Content-Type: text/html; charset=UTF-8 
Content-Transfer-Encoding: 7bit 
X-eid: 2.5.3K5.2hv.12hk7c.CdQNXI..N..1TKO.CTbQEQf0 
X-pid: 962 
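The questions above come down to what the DKIM signature actually binds and whether the envelope and the Received chain are consistent with it. The script below is an added example for this thread, not code from the original post or from any ASRG project. It does not perform the RSA verification (that needs the selector's DNS record); it parses the DKIM-Signature tags, lists which headers the h= tag covers, checks d= against the From and Return-Path domains, measures the gap between the signature timestamp t= and the newest Received date, and checks that each Received hop's "from" host is the "by" host of the hop below it. The sample header block is the one quoted in the post, constructed here for offline use with the archive's " at " obfuscation restored to "@"; the names WANT_SIGNED, parse_dkim_tags, parse_received and triage are this example's own.

```python
"""Triage checks for a DKIM-signed message suspected of being replayed.

Added example for this thread (not code from the original post). It does not
verify the RSA signature; it inspects what the signature binds and whether
the envelope and Received chain line up with it.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the header block quoted in the post, " at " -> "@".
SAMPLE_HEADERS = """Return-path: <abuse@genius.com>
Received: from broadband-77-37-184-167.nationalcablenetworks.ru ([77.37.184.167] helo=list.mediresource.com)
\tby direct.va.ru with smtp (Exim 4.53)
\tid 1LMsMZ-0003zp-62
\tfor abuse@genocide.ru; Wed, 14 Jan 2009 02:07:59 +0300
DKIM-Signature: v=1; a=rsa-sha1; d=rodale.delivery.net; s=v1; c=simple/simple;
\tq=dns/txt; i=@rodale.delivery.net; t=1231488648;
\th=From;
\tbh=F6VyhuMIBItRiT4Rd3AjarPIreY=;
\tb=jU/ncyJ4g53pvr2on0cSjHW0pxtZqApuauJuTV9XlPVJXFY2vvS4zzs5eiJqpZ2i
\tj56GjtfxU1pWScXrwstgIwm1vb4SxvpN2qhf4uMxeGpsZM3Z5lD9j9GuEMAUME+R
\toiXm9l4kbSw2zIJ7NP65e9dErI20MZRscu6F6u20dx8=;
Received: from [192.168.138.141] ([192.168.138.141:53703] helo=fc14a2.dc1.prod)
\tby oms2.dc1.prod (envelope-from <MensHealth@rodale.delivery.net>)
\t(ecelerity 2.2.2.36 r(26875/27517M)) with ESMTP
\tid EF/26-77607-64778138; Wed, 14 Jan 2009 02:05:15 +0300
From: Men's Health <MensHealth@rodale.delivery.net>
To: abuse@genocide.ru
Subject: RE: Bigger snake for few days n few bucks

"""

# Headers a verifier would want bound by the signature before treating the
# message as really addressed to this recipient (hypothetical policy list).
WANT_SIGNED = ("From", "To", "Subject", "Date", "Message-ID")


def parse_dkim_tags(value):
    """Turn 'v=1; a=rsa-sha1; h=From; ...' into a dict; folding whitespace dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def domain_of(addr_header):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def parse_received(value):
    """Extract (from_host, by_host, unix_time) from one Received header."""
    flat = " ".join(value.split())
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    return (m_from.group(1) if m_from else None,
            m_by.group(1) if m_by else None,
            when.timestamp())


def triage(raw):
    """Return a dict of replay indicators for a raw RFC 5322 header block."""
    msg = message_from_string(raw)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    unsigned = [h for h in WANT_SIGNED if h.lower() not in signed]

    sig_domain = tags.get("d", "").lower()
    received = [parse_received(r) for r in msg.get_all("Received", [])]
    # Received headers are prepended, so index 0 is the newest hop; the 'from'
    # host of each hop should be the 'by' host of the hop directly below it.
    chain_breaks = [
        (received[i][0], received[i + 1][1])
        for i in range(len(received) - 1)
        if received[i][0] != received[i + 1][1]
    ]
    newest = max(r[2] for r in received) if received else None
    sig_age_days = None
    if newest is not None and "t" in tags:
        sig_age_days = (newest - int(tags["t"])) / 86400

    return {
        "signed_headers": sorted(signed),
        "unsigned_headers": unsigned,
        "from_aligned": domain_of(msg["From"]) == sig_domain,
        "return_path_aligned": domain_of(msg["Return-Path"]) == sig_domain,
        "chain_breaks": chain_breaks,
        "sig_age_days": sig_age_days,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

On the quoted headers this reports that only From is signed (To, Subject, Date and Message-ID are not), that d= aligns with From but not with the Return-Path domain, that the outer Received hop claims to come from a host that is not the "by" host of the inner hop, and that the signature is about 4.6 days older than the newest Received date. None of these makes the DKIM signature itself invalid, which is the point: a valid signature with h=From only says the From header was signed by that domain at some time, not that this copy was sent to this recipient.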
